
Health App Security Bug Exposed COVID-19 Vaccine Records

COVID-19 vaccine records from residents of New Jersey and Utah were exposed due to a security bug in the health app Docket.

UPDATE 11/8/21: Docket confirmed that only one individual was able to successfully reverse engineer its API to exploit the vulnerability, and "less than a handful of QR codes were inappropriately accessed." Docket immediately engaged with public health partners and notified impacted individuals.

Some residents of New Jersey and Utah who use the health app Docket had their COVID-19 vaccination records exposed due to a security bug in the application, TechCrunch discovered.

Docket serves as a digital vaccine passport that allows users to carry an official copy of their immunization records or a QR code signifying their vaccination status. The app was previously endorsed by New Jersey and Utah state officials.

TechCrunch discovered the bug on October 26 and immediately notified Docket. The bug allowed anyone to access the QR codes of other users along with the other protected health information (PHI) associated with it. Any user could see the names, birth dates, and specific vaccination information of any other user.

Michael Perretta, the health app’s CEO, said that the company fixed the bug within a few hours of being notified. Perretta declined to answer TechCrunch’s questions about what kind of security testing was done before Docket launched.

“The user’s QR code is generated on the server in the form of a SMART Health Card, a widely accepted standard for validating a person’s vaccination status across the world. That QR code is tied to a user ID, which isn’t visible from the app, but can be viewed by looking at its network traffic using off-the-shelf software like Burp Suite or Charles Proxy,” TechCrunch explained.

“But Docket’s servers weren’t checking to make sure the person requesting a QR code was allowed to request it. That meant it was possible for any app user to change their user ID and request someone else’s QR code. Worse, Docket user IDs are sequential, and so new QR codes could be enumerated simply by changing the user ID by a single digit.”
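As an added illustration (not Docket's code, which is not public), the Python below models the missing server-side ownership check TechCrunch describes beside two corrected handlers, and adds a small log check a defender could run to spot cross-user record fetches. All user IDs, records and log lines are constructed.

```python
# Added example modelling the authorization flaw described above; not Docket's code.
from dataclasses import dataclass

# Constructed store: sequential integer user IDs mapped to PHI and a QR payload.
RECORDS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "qr": "shc:/CONSTRUCTED-1001"},
    1002: {"name": "B. Example", "dob": "1975-06-15", "qr": "shc:/CONSTRUCTED-1002"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


@dataclass(frozen=True)
class Session:
    # The user the server actually authenticated (from a session token),
    # never a value copied from a request parameter the client can edit.
    user_id: int


def get_qr_vulnerable(session: Session, requested_user_id: int) -> dict:
    # Trusts the client-supplied ID and never compares it to the session:
    # any logged-in user can fetch any other user's QR code and PHI.
    return RECORDS[requested_user_id]


def get_qr_fixed(session: Session, requested_user_id: int) -> dict:
    # Object-level authorization: the record must belong to the caller.
    if requested_user_id != session.user_id:
        raise Forbidden("requested record does not belong to caller")
    return RECORDS[requested_user_id]


def get_my_qr(session: Session) -> dict:
    # Preferred shape: drop the client-controlled ID entirely and key the
    # lookup on the authenticated identity, so there is nothing to tamper with.
    return RECORDS[session.user_id]


# Constructed access-log lines: authenticated user, requested user, HTTP status.
SAMPLE_LOG = [
    "session=1001 requested=1001 status=200",
    "session=1001 requested=1002 status=200",
    "session=1001 requested=1003 status=200",
]


def cross_user_fetches(log_lines):
    """Return (session, requested) pairs where a caller read another user's record."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["session"] != fields["requested"] and fields["status"] == "200":
            hits.append((int(fields["session"]), int(fields["requested"])))
    return hits
```

A run of successful cross-user fetches from one session with consecutive requested IDs is the signal to alert on; the fixed handlers turn those into denials.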

A few other vaccine passport apps have faced similar issues. An app called Aura exposed thousands of QR codes through a nearly identical security bug and exposed vaccination records, and Portpass exposed the personal information of hundreds of thousands of users.

The Federal Trade Commission (FTC) recently released a policy statement affirming that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule. The policy statement signified growing concern over the lack of regulation at the intersection of healthcare and tech companies.

COVID-19 necessitated the rapid development of new technologies to aid in making vaccine appointments, contact tracing, and record storage. However, the urgency raised concerns over whether proper privacy and security measures were being taken throughout the development of new apps and other technology.

In February, a group of Senators and Congressional members proposed the Public Health Emergency Privacy Act, aimed at safeguarding personal data in relation to COVID-19 tech.

Others share concerns over digital vaccine credentialing services in terms of health equity. The pandemic exposed extreme inequities across the US healthcare system, and vaccine credentialing systems may have the potential to disadvantage marginalized groups further.

Security and privacy issues continue to arise, but the need for reliable and secure COVID-19 tech is still pressing.
